As Mike Wright, CIO of McKinsey and Company, opines, “For many organizations, IT is a black box, which can lead to a lot of questions about what you are doing and why.”
Where customer data is involved, these questions embody doubts, which, when left unresolved, erode trust. One way to build customer trust is by adhering to relevant SOC 2 trust principles.
So, what are SOC 2 trust service principles?
In this article, we’ll delve into the nuances of the five trust service principles. We’ll also discuss what each principle entails, who it applies to, and the criteria tested as part of each principle. The goal is to help you determine which trust principles apply to your organization and how you can meet their specified standards.
SOC 2 compliance is unique to each organization. Because of this, there’s no one-size-fits-all formula for selecting the trust service principles for SOC 2 examination.
The trust principles you select determine your attestation criteria. The American Institute of Certified Public Accountants (AICPA) requires those criteria to be suitable, meaning relevant, objective, measurable, and complete, and available to the users of the report.
Trust service principles (renamed trust services categories in the AICPA's 2017 Trust Services Criteria) are the categories of criteria used to evaluate the controls relevant to an organization's information and systems.
The AICPA specifies five: security, availability, processing integrity, confidentiality, and privacy.
Your organization isn’t required to have every trust service principle examined in its SOC 2 report (SOC 2 is an attestation by an auditor, not a certification).
Security is the only principle required for SOC 2. The other four are optional.
That said, you should select principles that are relevant to the services you provide or the demands of the users you serve.
For example, if you store data for clients but don't process it, then availability would be a key principle. Something like processing integrity wouldn't be applicable.
The rule of thumb is that you don't need to include every trust service principle. If a client asks for all five, chances are they don’t understand what they need.
In this case, you have to explain to the customer what each principle means and when it's applicable. The goal is to help them understand what they need and, more importantly, what they don’t need for their business.
Having in-depth knowledge of the trust principles comes in handy for this.
SOC 2 requirements revolve around the five Trust Services Principles.
Your attestation criteria are as simple or complex as the trust principles you choose. The narrowest possible scope is security alone, which is mandatory.
However, based on factors such as the services you provide, user entity demands, contractual obligations, or legal requirements, you may have to add one or all of the other four.
As a result, a complete set of SOC 2 criteria consists of the common criteria plus the category-specific series for each optional category you include:
Trust service category   Common criteria   Additional category-specific criteria
Security                 Applicable        Not applicable
Availability             Applicable        A series
Processing integrity     Applicable        PI series
Confidentiality          Applicable        C series
Privacy                  Applicable        P series
Let’s discuss the fine details of each Trust Service Principle, starting with security.
The 2019 Microsoft incident, in which a misconfigured database exposed roughly 250 million customer support records, was a wake-up call to technology-based organizations. It served as evidence that no organization is immune from data breaches.
As a SaaS provider, what you can do is implement effective data security systems and internal controls to counter these threats, and be able to show evidence that they work.
Your customers want to see evidence of proper security systems before they will ink any deal with you. This is where the security TSP comes in handy.
Security refers to protecting information and systems against unauthorized access, unauthorized disclosure, and damage throughout the data lifecycle: creation, collection, processing, storage, use, and transmission. Its criteria let an auditor evaluate how effectively your security controls protect user data.
The criteria tested as part of the security TSP are defined as the common criteria (CC-series).
Common criteria
The common criteria guide you when designing, implementing, and operating security controls, and they are the criteria an auditor tests when evaluating whether those controls achieve the system's objectives.
The common criteria are organized around the 17 internal control principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.
They provide criteria for addressing the control environment (CC1), communication and information (CC2), risk assessment (CC3), monitoring activities (CC4), and control activities (CC5).
As Mark Russinovich, Chief Technology Officer at Microsoft Azure, states, “Service incidents like outages are an unfortunate inevitability of the technology industry.” In other words, you cannot guarantee 100% system uptime.
However, your clients want data and system resources to be available for operation. This is especially true for cloud service providers who provide cloud computing or cloud data storage services.
If you offer a continuous integration and continuous delivery (CI/CD) platform, an outage prevents clients from building, testing, or deploying changes to their services. Those clients will expect availability in your SOC 2 report as assurance of minimal service disruption.
Availability TSP refers to the accessibility of resources and data your systems use, as well as services and products you provide to clients. It gives clients assurance that you’ll reach the performance levels required to meet their needs.
This TSP doesn’t define minimum acceptable performance levels. It leaves service providers and user entities to set and agree upon the required levels, for example in a service level agreement. It does require that your systems have the controls needed to support availability for operation, monitoring, and maintenance.
To help you prepare for SOC 2 attestation, the AICPA states three additional criteria for availability (the A series): managing current processing capacity against demand (A1.1); designing, implementing, and monitoring environmental protections, data backups, and recovery infrastructure (A1.2); and testing recovery plan procedures (A1.3).
If you provide financial reporting services or ecommerce, you should strive to maintain internal quality assurance.
For example, if you provide a financial application, you should make sure system processing is correct, timely, complete, valid, and authorized to meet the laid out standards. These are the hallmarks of processing integrity.
Processing integrity is an indispensable trust principle in an era laden with financial fraud, such as authorized push payment (APP) fraud. Your clients will want to see this TSP in your SOC 2 report to ensure that your transaction processing is accurate.
Processing integrity helps evaluate whether systems perform their intended functions in a way that is complete, valid, accurate, timely, and authorized, free from delay, error, omission, and accidental or unauthorized manipulation.
The AICPA states five additional criteria for processing integrity (the PI series): defining and communicating the data and processing specifications the system must meet (PI1.1), and controls over system inputs (PI1.2), processing (PI1.3), outputs (PI1.4), and stored inputs and outputs (PI1.5) so that each is complete, accurate, timely, and authorized.
The confidentiality TSP applies to service organizations that hold confidential information.
Confidential information includes various types of sensitive data like financial reports, passwords, lists of prospective customers, business strategies, customer databases, and other intellectual property.
The confidentiality principle refers to an organization's ability to safeguard confidential information through every phase of its processing. This ranges from collection to disposal.
If you handle such data, you must limit its access, storage, and use, and disclose it only to authorized parties.
There are two confidentiality-specific criteria (the C series): identifying and protecting confidential information to meet your confidentiality objectives (C1.1), and disposing of it once it is no longer needed (C1.2).
Did you know that for every dollar spent on data privacy, your organization racks up $2.70 worth of improvements on data loss, agility, mitigation and customer loyalty?
Also, 82% of your potential customers see a SOC 2 report and ISO 27701 as a buying factor when selecting a vendor.
Privacy is an indispensable component in building trust with clients. When it comes to SOC 2 compliance, the privacy principle refers to how your organization gathers, stores, uses, preserves, reveals, and disposes of personal information.
Unlike confidentiality, which covers various forms of sensitive information, privacy deals only with personal information.
The privacy criteria (the P series) are broken down into eight sections: notice and communication of objectives (P1), choice and consent (P2), collection (P3), use, retention, and disposal (P4), access (P5), disclosure and notification (P6), quality (P7), and monitoring and enforcement (P8).
In addition to the criteria derived from the 17 COSO principles, the common criteria include supplemental criteria.
The supplemental criteria extend COSO principle 12 (control activities in the common criteria) with objectives specific to a trust services engagement.
They cover logical and physical access controls (CC6), system operations (CC7), change management (CC8), and risk mitigation (CC9).
As mentioned earlier, your trust service criteria should be relevant, objective, measurable, and complete. However, with so many trust principles and categories to consider, it can be difficult to pick criteria that fit your profile. This is where Secureframe comes into the picture.
We evaluate your service organization needs along with any contractual or legal obligation to pick the right Trust Service Principles for you. Request a Secureframe demo to learn how we can help you determine which trust principles apply to your business and how you can meet the criteria.